
Sensitive information in source code

Need

Protection of sensitive information in source code

Context

  • Usage of TypeScript for type-checking and compiling JavaScript code
  • Usage of Express for building web applications and APIs

Description

Non compliant code

import express from 'express';

const app = express();

app.get('/login', (req, res) => {
  // Credentials hardcoded as string literals in the source
  const username = 'admin';
  const password = 'password123';

  // Authenticate user using hardcoded credentials
  if (req.query.username === username && req.query.password === password) {
    res.send('Login successful');
  } else {
    res.send('Invalid credentials');
  }
});

app.listen(3000, () => {
  console.log('Server started on port 3000');
});

The vulnerability in this code is that it contains sensitive information: the credentials used for authentication are hardcoded. The username and password are string literals in the source, so anyone who can read the repository, a build artifact or a deployed bundle can read them too.

This is a security risk because an attacker who obtains the code can use the credentials directly to gain unauthorized access, and because the credentials cannot be rotated without changing and redeploying the code. If the file is committed to a version control system such as Git, the values also remain in the repository's history after the line is deleted; removing them requires rewriting history, and the credentials should be treated as compromised and rotated regardless.

To mitigate this vulnerability, remove the hardcoded credentials from the code. Sensitive values such as usernames and passwords should be supplied at runtime from a location that is not part of the source tree: environment variables, a configuration file excluded from version control, or a key vault service. This keeps the values out of the code itself and lets them be rotated without a code change.
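The check a reviewer would run before the fix is a scan of the source for string literals assigned to credential-like identifiers, which is exactly the shape of the two lines in the non-compliant snippet. The following is an added example in plain JavaScript, not code from the page; real scanners (gitleaks, trufflehog and similar) carry far more rules and also walk the Git history, but the core check is the same. The identifier list, the redaction format and the sample source text are constructed here.

```javascript
// Added example (not the page's code): flag string literals assigned to
// credential-like identifiers. Values are redacted in the report so the
// scanner's own output does not become another copy of the secret.

// Identifier names that suggest a credential (assumed list).
const CREDENTIAL_NAME = /(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)/i;

// identifier = 'literal'  /  identifier: "literal"  (JS, TS, JSON, YAML-ish).
// A value read from config (process.env.X) has no quote after the operator,
// so it never matches; only literals do.
const ASSIGNMENT = /\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(['"`])([^'"`\n]{4,})\2/g;

function redact(value) {
  return value.slice(0, 2) + '*'.repeat(Math.max(0, value.length - 2));
}

// Returns one finding per credential-like literal: { file, line, name, value }.
function findHardcodedCredentials(source, filename = '<input>') {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const trimmed = line.trim();
    // Skip comment lines; a commented-out secret is still worth rotating,
    // but it is not what this check reports.
    if (trimmed.startsWith('//') || trimmed.startsWith('#')) return;
    for (const m of line.matchAll(ASSIGNMENT)) {
      const [, name, , value] = m;
      if (!CREDENTIAL_NAME.test(name)) continue;
      // Template references such as '${VAULT_PASSWORD}' are placeholders, not secrets.
      if (value.includes('${')) continue;
      findings.push({ file: filename, line: idx + 1, name, value: redact(value) });
    }
  });
  return findings;
}

// Constructed sample: the two assignments from the non-compliant snippet,
// an API key, a value read from the environment, and a commented-out secret.
const SAMPLE_SOURCE = [
  "const username = 'admin';",
  "const password = 'password123';",
  'const apiKey = "sk_live_0123456789";',
  'const dbPassword = process.env.DB_PASSWORD;',
  "// const secret = 'old-commented-out-secret';",
].join('\n');

function scanSample() {
  return findHardcodedCredentials(SAMPLE_SOURCE, 'src/login.ts');
}
```

Run against the sample, `scanSample()` reports `password` on line 2 and `apiKey` on line 3 with redacted values, and says nothing about the `process.env` read or the comment. The hardcoded `username` is deliberately not reported: a username is not a secret on its own, although the page is right that it should not be paired with a literal password in the source either.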

Steps

  • Remove the hardcoded sensitive information (username and password) from the code
  • Store the sensitive information in a secure location such as environment variables, a configuration file excluded from version control, or a key vault service
  • Update the code to retrieve the sensitive information from the secure location at runtime, and refuse to run if it is missing
  • Ensure that the secure location is properly protected: restricted access, encrypted at rest, and never committed to the repository
  • Rotate any credential that was ever committed, since it remains in the version control history
  • Consider using a secure authentication mechanism (hashed passwords, constant-time comparison, or an identity provider) instead of comparing a shared plaintext credential

Compliant code

import express from 'express';

const app = express();

app.get('/login', (req, res) => {
  // Retrieve sensitive information from secure location
  const username = process.env.USERNAME;
  const password = process.env.PASSWORD;

  // An unset variable reads as undefined, and so does a missing query
  // parameter; never authenticate against a missing credential
  if (!username || !password) {
    res.status(500).send('Server misconfigured');
    return;
  }

  // Authenticate user using retrieved credentials
  if (req.query.username === username && req.query.password === password) {
    res.send('Login successful');
  } else {
    res.send('Invalid credentials');
  }
});

app.listen(3000, () => {
  console.log('Server started on port 3000');
});

The fixed code addresses the vulnerability of sensitive information in the source code by reading the credentials from the environment instead of embedding them in the source.

  1. The code imports the 'express' module and creates an instance of the express application.

  2. The '/login' route is defined, which handles the login functionality.

  3. Instead of hardcoding usernames and passwords in the code, the code retrieves them at runtime from environment variables, which are set by the deployment and are not part of the repository.

  4. The 'process.env' object exposes the environment variables; here 'USERNAME' and 'PASSWORD' hold the values. Both must be set in the deployment environment: an unset variable reads as undefined, and a request that omits the corresponding query parameter yields undefined as well, so a comparison against a missing value must never be allowed to succeed. Note also that 'USERNAME' is set automatically by some operating systems (Windows sets it to the logged-in account), so confirm it holds the intended value or choose an application-specific name.

  5. When a user makes a GET request to the '/login' route, the code reads the username and password from the environment variables and compares them with the values provided in the request query parameters.

  6. If the provided username and password match the values from the environment, the code sends a response of 'Login successful'. Otherwise, it sends a response of 'Invalid credentials'.

  7. The application listens on port 3000, and a message is logged to the console indicating that the server has started.

By retrieving sensitive information from the environment, the code keeps the credentials out of the source and the repository, which removes the exposure described above. Two limitations remain and should be addressed in a real deployment: environment variables are readable by anyone who can inspect the running process or the host's configuration, so the host and the deployment pipeline must be protected as well; and the credentials are still sent in a GET query string and compared as plaintext, so they will appear in access logs and browser history, which a POST body and a hashed, constant-time comparison would avoid.

References